LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 12-19-2005, 06:56 AM   #1
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Rep: Reputation: 30
Problem with my NAT box


Hi there, I'm having trouble with my NAT box. Here is the code I'm using now...

#!/bin/bash

# Script for iptables NAT and port forwarding

# Ext IF = eth0, WAN IP = X.X.X.X
# Int IF = eth1, LAN IP range = a.a.a.a/24
# Here is the NAT Table
# Source Dest Remarks
# LAN 0/0 Let them go to 0/0
# 0/0:25 a.a.a.b:25 Let the ppl access the mail server
#
# Deleting and flushing the default and existing chains.
iptables -F
iptables -t nat -F
iptables -X

# Setting the counters to zero
iptables -Z
iptables -t nat -Z

# The default important rules, blocking malicious ports
iptables -A INPUT -p tcp -m multiport --destination-port 111,135,139,199,445,587,593,631,4444,6000 -j DROP
iptables -A INPUT -p udp -m multiport --destination-port 69,135,137,138 -j DROP

# Setting up for Port forwarding
iptables -t nat -A PREROUTING -p tcp -i eth0 -d X.X.X.X --dport 25 -j DNAT --to a.a.a.b:25
iptables -t nat -A PREROUTING -p tcp -i eth0 -d X.X.X.X --dport 110 -j DNAT --to a.a.a.b:110
iptables -t nat -A PREROUTING -p tcp -i eth0 -d X.X.X.X --dport 80 -j DNAT --to a.a.a.b:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d X.X.X.X --dport 443 -j DNAT --to a.a.a.b:443
iptables -A FORWARD -p tcp -i eth0 -d a.a.a.b -j ACCEPT

# Some rules important
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT

# Setting NAT for local users
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to X.X.X.X
#iptables -A FORWARD -i eth0 -o eth0 -j DROP

# Saving and restarting iptables
service iptables save
service iptables restart

# End of codes...

Now here are my questions and problems... With this, I can put my servers behind the NAT and it works fine. One thing I cannot do: if I type webmail.mydomain.com from my desktop (which is behind the NAT too), I can't connect. I need to use the LAN IP to connect. My DNS server is outside the LAN, and I do not want to use any other DNS except it. I have no way to configure any DNS for the LAN. Now what can I do??

Please somebody give me a suggestion...
 
Old 12-19-2005, 11:41 AM   #2
branden_burger
Member
 
Registered: Dec 2004
Posts: 66

Rep: Reputation: 15
Greetings.

I don't think you need to have such an elaborate script for iptables - just allow only the ports you need in the FORWARD chain, and DROP everything else by default.

For more info, read this, especially the example iptables files.
http://iptables-tutorial.frozentux.n...-tutorial.html

And about only allowing a specific DNS server through to your private LAN, simply do this in addition to having an ESTABLISHED,RELATED rule in the FORWARD chain.

iptables -A FORWARD -p udp --dport 53 -d ip.of.dns.server -j ACCEPT

You could also do:

iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -d ip.of.dns.server -j ACCEPT

if you wished to be more specific, where eth1 is your local facing interface, eth0 is your internet facing interface.

Cheers!
Let me know if you run into RAB.

Last edited by branden_burger; 12-19-2005 at 11:45 AM.
 
Old 12-19-2005, 04:24 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
branden_burger is completely correct... you really shouldn't have any need to "block malicious ports"... you need to block/filter *ALL* ports and then allow only the ones you need/want... in practical terms, you should set your policies to DROP...

read dumb idea #1 to understand why:

http://www.ranum.com/security/comput...itorials/dumb/

this is what your script should probably look like instead:
Code:
#!/bin/bash

iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -X
iptables -X -t nat
iptables -X -t mangle

iptables -Z
iptables -Z -t nat
iptables -Z -t mangle

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let's filter any outgoing DNS queries which
# aren't headed toward *our* DNS:
iptables -A FORWARD -p UDP -i eth1 -o eth0 -d ! ip.of.dns.server \
--dport 53 -m state --state NEW -j REJECT

# Some DNS servers allow fallback to TCP,
# so let's knock that out also:
iptables -A FORWARD -p TCP -i eth1 -o eth0 -d ! ip.of.dns.server \
--dport 53 -m state --state NEW -j REJECT

# Allow all other outgoing traffic from the LAN to the WAN. This is
# not the optimal way of doing things (it's best to make specific
# rules), but since I don't know what kinda outgoing connections
# you actually do want/need I can't write any specific rules:
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 25 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 110 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 80 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 443 \
-m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 25 -j DNAT --to a.a.a.b:25

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 110 -j DNAT --to a.a.a.b:110

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 80 -j DNAT --to a.a.a.b:80

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 443 -j DNAT --to a.a.a.b:443

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to X.X.X.X
BTW, notice how each PREROUTING rule has a FORWARD rule that goes along with it...

EDIT: here's an example of how it would look with SPECIFIC rules for traffic from the LAN to the WAN:

Code:
#!/bin/bash

iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -X
iptables -X -t nat
iptables -X -t mangle

iptables -Z
iptables -Z -t nat
iptables -Z -t mangle

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let's only accept outgoing DNS queries to *OUR* DNS server:
iptables -A FORWARD -p UDP -i eth1 -o eth0 -d ip.of.dns.server \
--dport 53 -m state --state NEW -j ACCEPT

# Let's allow our clients on the LAN to surf HTTP sites:
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 80 \
-m state --state NEW -j ACCEPT

# Let's allow our clients on the LAN to surf HTTPS sites:
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 443 \
-m state --state NEW -j ACCEPT

# Let's allow our clients on the LAN to use FTP sites:
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 21 \
-m state --state NEW -j ACCEPT

# ETC... ETC... ETC...

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 25 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 110 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 80 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p TCP -d a.a.a.b --dport 443 \
-m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 25 -j DNAT --to a.a.a.b:25

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 110 -j DNAT --to a.a.a.b:110

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 80 -j DNAT --to a.a.a.b:80

iptables -t nat -A PREROUTING -p TCP -i eth0 -d X.X.X.X \
--dport 443 -j DNAT --to a.a.a.b:443

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to X.X.X.X

Last edited by win32sux; 12-19-2005 at 06:10 PM.
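The pairing win32sux points out (every PREROUTING DNAT rule needs a matching FORWARD rule once the policy is DROP) is easy to get wrong when the list is typed out by hand, and the original question (reaching the server from the LAN through its public name) is never answered in the thread. The script below is an added example, not code from either poster: it generates the rule pairs from a port list, and adds the standard hairpin-NAT rules for LAN clients whose DNS hands them the WAN address. Interface names, X.X.X.X, a.a.a.a/24 and a.a.a.b are the thread's placeholders; the `IPT` variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the DNAT + FORWARD
# rule pairs that win32sux's script spells out by hand, plus the hairpin
# rules the original question needs. IPT defaults to "echo iptables" so
# running this only prints rules; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# publish_tcp WAN_IF LAN_IF WAN_IP SERVER_IP PORT...
# Under a FORWARD policy of DROP, DNAT alone is not enough: the rewritten
# packet still has to pass FORWARD, so each PREROUTING rule gets a partner.
publish_tcp() {
  wan_if=$1; lan_if=$2; wan_ip=$3; srv=$4; shift 4
  for port in "$@"; do
    $IPT -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$wan_ip" \
      --dport "$port" -j DNAT --to-destination "$srv:$port"
    $IPT -A FORWARD -i "$wan_if" -o "$lan_if" -p tcp -d "$srv" \
      --dport "$port" -m state --state NEW -j ACCEPT
  done
}

# hairpin_tcp LAN_IF LAN_NET WAN_IP SERVER_IP PORT...
# LAN clients resolve the public name to WAN_IP, so redirect that on the
# LAN side as well. The MASQUERADE makes the server reply through the NAT
# box instead of straight back to the client, which would otherwise see
# an answer from a host it never talked to and drop the connection.
hairpin_tcp() {
  lan_if=$1; lan_net=$2; wan_ip=$3; srv=$4; shift 4
  for port in "$@"; do
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp -s "$lan_net" \
      -d "$wan_ip" --dport "$port" -j DNAT --to-destination "$srv:$port"
    $IPT -A FORWARD -i "$lan_if" -o "$lan_if" -p tcp -d "$srv" \
      --dport "$port" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$lan_if" -p tcp -s "$lan_net" \
      -d "$srv" --dport "$port" -j MASQUERADE
  done
}

# Sample run with the thread's placeholder addresses (substitute real ones):
publish_tcp eth0 eth1 X.X.X.X a.a.a.b 25 110 80 443
hairpin_tcp eth1 a.a.a.a/24 X.X.X.X a.a.a.b 25 110 80 443
```

Run it once with the default `IPT` to review the generated rules, then again with `IPT=iptables` after the flush/policy lines of win32sux's script and before its final SNAT rule.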